Changes: v2.0.0 → v2.1.0
The verifiability campaign previewed in v2.1.0-rc1 ships final, and it lands alongside the largest coverage pass since v1.0.0. rigscore now runs 28 checks — 13 scored plus 15 advisory (the rc1 count was 27; the 28th is the new semantic judge below). No scored weights moved: the Security axis and every published badge are unchanged.
| Change | What it does |
|---|
Opt-in --semantic judge (semantic-tools) | Catches obfuscated MCP tool poisoning — a hidden directive paraphrased into a tool description so the static regex checks never fire. OFF by default and makes zero external calls unless you pass --semantic; then it hands each tool description to your own first-party claude -p (Max-plan CLI — never an API key, never an SDK) to classify benign vs. suspicious. Each description is wrapped in a data-only frame so a poisoned tool cannot hijack the judge, and a missing claude skips gracefully. Advisory (weight 0), enforcement-grade pattern, finding id semantic-tools/suspicious-tool-description. |
Coverage — more of your rig is scanned by default
| Change | What it does |
|---|
| Directory-form rule sets | .cursor/rules/*.mdc, .windsurf/rules/, .clinerules/ (directory form), .github/instructions/*.instructions.md, plus .amazonq/rules/ and .kiro/steering/ are read with no .rigscorerc.json opt-in. A repo governed only by .cursor/rules/*.mdc no longer scores “no governance.” |
| Nine more AI clients | Amazon Q Developer, Roo Code, Cody, JetBrains Junie, Goose, Warp, Kiro, Qwen Code, and Crush join the registry — their governance, MCP, and credential files are now scanned, rug-pull-pinned, and inventoried like every other client. |
| Claude Code’s real user store | credential-storage and network-exposure now scan ~/.claude.json (user- and local-scope mcpServers), where plaintext secrets in server env maps were previously invisible. |
| Broader secret detection | Six more provider token formats (GitHub ghu_/ghs_/ghr_/github_pat_, Google GOCSPX-, legacy OpenAI, Shopify, Databricks), each \b-anchored and length-bounded to keep false positives low. |
Transparency & auto-fix
| Change | What it does |
|---|
| Enforcement-grade labels | Every check now carries a [mechanical] / [pattern] / [keyword] tag in the score line and on every SARIF result, so you can see how each point is earned — deterministic config check vs. regex/structural vs. presence detection. Display-only: no scoring, weight, or dependency change. |
| Non-destructive config-merge engine | rigscore init --<pack> --merge (alias --harden) hardens a config that already exists: absent keys are added, arrays union by value, YAML comments and order survive, and any value you already set is kept and reported — never clobbered. Idempotent on a second pass. |
More --fix auto-fixes | Auto-remediation for the MCP auto-approve bypass (CVE-2025-59536), ANTHROPIC_BASE_URL redirects (CVE-2026-21852), Docker privileged / socket-mount / cap_drop / no-new-privileges, and the coherence undeclared-MCP-server finding — each additive or surgical, idempotent, and never rewriting a corrupt or per-user homedir file. |
Verifiability — now final
| Change | What it does |
|---|
| Signed releases + provenance + SBOM | Every release ships a Sigstore-backed build-provenance attestation and a CycloneDX SBOM; scripts/verify-release.sh downloads the assets and runs gh attestation verify. See verify rigscore. |
Per-finding findingId coverage | verify:docs now fails when any literal finding id a built-in check emits is missing from docs/FINDING_IDS.md — the ids consumers pin for SARIF ruleIds, --ignore, and baseline diffs. |
| Distribution | pre-commit.com framework support (- id: rigscore), a GitHub-Marketplace-listable composite action, and config extends for sharing one hardened .rigscorerc.json across repos. |
Install
1npx github:Back-Road-Creative/rigscore
No accounts, no telemetry, no network calls by default. MIT licensed.
github.com/Back-Road-Creative/rigscore